
Brett Shavers | Ramblings


How easy (or difficult) is it to build a WinFE with WinBuilder?

Digital Forensics
Brett Shavers
Wednesday, 13 April 2011

An easy quickstart guide to build your WinFE ISO...


1) Extract WinBuilder to the root of your C:\ drive

2) Run WinBuilder

3) Click 3 buttons and you are done.

If you want more features, such as additional programs, network support, audio, more drivers, customized wallpaper, or a bootable WinFE flash drive, then you just need to push a few more buttons. Download and read the write-up (Users Guide to WinFE) for details on adding features. It's just as easy as pushing the 3 buttons.

These screenshots show all that is needed. Now, after looking at what is needed to create your WinFE, what is the reason you haven't started yet?





Comments 11

Guest - eskwebdesign on Friday, 15 April 2011 21:20

Thanks a lot!

Really easy to do, perfect.

Guest - Gary Bales on Tuesday, 04 October 2011 02:30

I thought the main purpose of a 'WinFE' is to be able to view/browse a system after booting to a 'WinFE' environment which prevents changes to the hard drive.

I ran WinBuilder according to the instructions in this post, but have a question.

After running and watching the creation of the boot ISO for WinFE I didn't see anything that leads me to believe that my run of WinBuilder [082] is a WinFE and not just a WinPE.

What part of running WinBuilder makes this a "WinFE" and not just a "WinPE"?

Guest - Brett Shavers on Tuesday, 04 October 2011 04:10

The modification of the two registry keys makes it forensic. Set up WinBuilder with the WinFE scripts to modify the registry, or build with the batch files via command line. Boot to the WinFE you create and test to ensure the write protection works. You'll need to use DiskPart via the command line in WinFE to toggle the drives on/offline to test. You can also look at the modified WinFE registry keys to ensure the keys were modified.

Guest - Gary Bales on Tuesday, 04 October 2011 03:15

I have created a boot CD using WinBuilder, 'VistaCAPI v.12' using Vista DVD and booted a PC to it and the hard drive was mounted RW by default. Also, I can find nowhere in the GUI where I can set an HD to read-only.
It would seem that there must be a different download of WinBuilder for a 'WinFE' build.

Guest - Brett Shavers on Tuesday, 04 October 2011 04:06

The script now in the box.net site (and on reboot.pro) configures the WinPE to FE. There is no GUI in WinFE that toggles drives on/offline. There is a GUI that Microsoft is reviewing to be released, but until that time, you must use the command line tool "DiskPart". Instructions are in the how to use winfe paper.

Guest - Gary Bales on Tuesday, 04 October 2011 03:23

When following the links from the download menu (on this site), one just ends up at the WinBuilder site, where there is little mention of a 'WinFE' build that can be downloaded. Every link I found for 'WinFE_Builder.zip' leads back to the main download.

Is there a WinBuilder 'project', 'add-on', etc. that will modify the build so that the hard drives on the target PC are 'read-only'?

Guest - Brett Shavers on Tuesday, 04 October 2011 04:06

I put the script in the Box.net on this site. It is on the reboot.pro site as well. Put the appropriate script (32- or 64-bit) in the "tweaks" folder structure of WinBuilder. Adjust as you need when you set up that script from within WinBuilder.

Guest - Gary Bales on Tuesday, 04 October 2011 05:23

Still cannot find the winfe winbuilder script. What do you mean 'I put the script in the box.net on this site'? I have Googled 'site:box.net +winfe' and got nothing. Cannot find the winfe script listed anywhere in the 'downloads' and have been searching/reading posts on the reboot.pro site for 'winfe' for over an hour and still haven't found the script.

Tried making my own, and putting it in the 'tweaks' folder, but when I start WinBuilder back up the 'WinFE' doesn't appear in the list.

Here's my "winfe.script":
[main]
Title=Win-FE
Type=Script
Selected=True
Level=7

[Process]
// Load the build's offline SYSTEM hive under HKLM\Tmp_System
RegHiveLoad,Tmp_System,%RegSystem%
// Write both DWORD values into the loaded hive; the hive name must match the one given to RegHiveLoad
RegWrite,HKLM,0x4,"Tmp_System\ControlSet001\Services\MountMgr","NoAutoMount",1
RegWrite,HKLM,0x4,"Tmp_System\ControlSet001\Services\partmgr\Parameters","SanPolicy",3
RegHiveUnLoad,Tmp_System

Any suggestions? BTW, thanks for the fast response!

Guest - Brett Shavers on Tuesday, 04 October 2011 11:44

Best to use the WinFE script. It's been tested already by dozens (or more) users.

Guest - Gary Bales on Wednesday, 05 October 2011 03:37

That is the crux of my problem: I cannot find the script. Will you please post a link to it? Tks.

Guest - Gary Bales on Tuesday, 04 October 2011 05:44

Well, after I removed all other scripts from the 'tweaks' folder, my "winfe.script" was displayed in the list. Now to test it.

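The comments above say to confirm, in the booted WinFE, that the two registry values were modified and to use DiskPart to test the drives. As an added example (not the WinFE project's script and not code from the author), this batch file checks both values with reg.exe and lists the disks; the key paths and data are the ones in the winfe.script posted in the comments, while reading them under HKLM\SYSTEM\ControlSet001 and the temporary file name are assumptions.

```batch
@echo off
rem Added example, not the WinFE project's script. Run from the WinFE command prompt.
rem Key paths and expected data come from the winfe.script posted in the comments;
rem reading them under HKLM\SYSTEM\ControlSet001 in the booted image is an assumption.
setlocal
set "FAIL=0"

call :check "HKLM\SYSTEM\ControlSet001\Services\MountMgr" NoAutoMount 0x1
call :check "HKLM\SYSTEM\ControlSet001\Services\partmgr\Parameters" SanPolicy 0x3

rem List the disks so their status can be reviewed before DiskPart is used
rem to bring anything online. The temp file name is arbitrary.
echo list disk> "%TEMP%\winfe_listdisk.txt"
diskpart /s "%TEMP%\winfe_listdisk.txt"
del "%TEMP%\winfe_listdisk.txt"

if "%FAIL%"=="0" (
    echo PASS: both registry values are set as expected.
) else (
    echo FAIL: this build does not have the expected WinFE registry settings.
)
exit /b %FAIL%

:check
rem %1 = key, %2 = value name, %3 = expected REG_DWORD data as reg.exe prints it
set "FOUND="
for /f "tokens=1-3" %%A in ('reg query "%~1" /v %2 2^>nul') do (
    if /i "%%A"=="%2" if /i "%%B"=="REG_DWORD" set "FOUND=%%C"
)
if not defined FOUND (
    echo [MISSING] %~1\%2
    set "FAIL=1"
    goto :eof
)
if /i "%FOUND%"=="%3" (
    echo [OK]      %~1\%2 = %FOUND%
) else (
    echo [WRONG]   %~1\%2 = %FOUND% ^(expected %3^)
    set "FAIL=1"
)
goto :eof
```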
© 2022 Brett Shavers